NINJIO PCI targets any users who have access to credit card data or handle credit cards as part of their day-to-day responsibilities.
With the number of restaurants and retail employees handling credit cards daily, our fourth PCI compliance episode is intended as a “stand-alone” focusing exclusively on “card-handling.” If you only need to train your front line people on card handling, this episode would suffice.
Install firewall software or equivalent protections on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the cardholder data environment (CDE).
This requirement applies to employee-owned and company-owned portable computing devices. Systems that cannot be managed by corporate policy introduce weaknesses and provide opportunities that malicious individuals may exploit. Allowing untrusted systems to connect to an organization’s CDE could result in access being granted to attackers and other malicious users.
Never send unprotected primary account numbers (PANs) by end user messaging technologies (for example, email, instant messaging, SMS, chat, etc.).
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers). Note: this applies to any employee-owned devices that are allowed on the network and not managed under a mobile device management (MDM) program.
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users unless specifically authorized by management.
Limit access to system components and cardholder data to employees whose job requires such access.
Maintain strict control over the storage and accessibility of media.
Destroy media when it is no longer needed for business or legal reasons.
Examine the periodic media destruction policy and verify that it covers all media and defines requirements.
Hard copy materials must be crosscut shredded, incinerated, or pulped so there is reasonable assurance the hard copy materials cannot be reconstructed.
Protect devices that capture payment card data from tampering and substitution.
Regularly test security systems and processes.
Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.